diff --git a/interfaces/kits/napi/include/cm_napi_user_trusted_cert.h b/interfaces/kits/napi/include/cm_napi_user_trusted_cert.h
index 27a889c70b79102870f208a5f56c0bd5b6f1f145..7a4b03282311b831fff092da06be8bc7279752f7 100755
--- a/interfaces/kits/napi/include/cm_napi_user_trusted_cert.h
+++ b/interfaces/kits/napi/include/cm_napi_user_trusted_cert.h
@@ -21,6 +21,7 @@
 
 namespace CMNapi {
     napi_value CMNapiInstallUserTrustedCert(napi_env env, napi_callback_info info);
+    napi_value CMNapiInstallUserTrustedCertSync(napi_env env, napi_callback_info info);
     napi_value CMNapiUninstallAllUserTrustedCert(napi_env env, napi_callback_info info);
     napi_value CMNapiUninstallUserTrustedCert(napi_env env, napi_callback_info info);
 }  // namespace CMNapi
diff --git a/interfaces/kits/napi/src/cm_napi.cpp b/interfaces/kits/napi/src/cm_napi.cpp
index 4accac25470875170a872c9ce081ff6e42064ef3..0101125861988defbba801e7bee61ee4e1c4e921 100644
--- a/interfaces/kits/napi/src/cm_napi.cpp
+++ b/interfaces/kits/napi/src/cm_napi.cpp
@@ -150,6 +150,7 @@ extern "C" {
 
             /* user ca */
             DECLARE_NAPI_FUNCTION("installUserTrustedCertificate", CMNapiInstallUserTrustedCert),
+            DECLARE_NAPI_FUNCTION("installUserTrustedCertificateSync", CMNapiInstallUserTrustedCertSync),
             DECLARE_NAPI_FUNCTION("uninstallAllUserTrustedCertificate", CMNapiUninstallAllUserTrustedCert),
             DECLARE_NAPI_FUNCTION("uninstallUserTrustedCertificate", CMNapiUninstallUserTrustedCert),
             DECLARE_NAPI_FUNCTION("getAllUserTrustedCertificates", CMNapiGetAllUserTrustedCertList),
diff --git a/interfaces/kits/napi/src/cm_napi_common.cpp b/interfaces/kits/napi/src/cm_napi_common.cpp
index 1634b50a7b2842919990a00adf659c405374b35b..58da3a826fa9ba6405ecb774dac30a4f625a8d8b 100644
--- a/interfaces/kits/napi/src/cm_napi_common.cpp
+++ b/interfaces/kits/napi/src/cm_napi_common.cpp
@@ -453,16 +453,16 @@ napi_value GenerateBusinessError(napi_env env, int32_t errorCode)
         return nullptr;
     }
 
-    napi_value businessError = nullptr;
-    NAPI_CALL(env, napi_create_object(env, &businessError));
-
     napi_value code = nullptr;
     int32_t outCode = TranformErrorCode(errorCode);
     NAPI_CALL(env, napi_create_int32(env, outCode, &code));
-    NAPI_CALL(env, napi_set_named_property(env, businessError, BUSINESS_ERROR_PROPERTY_CODE.c_str(), code));
+
     napi_value message = nullptr;
     NAPI_CALL(env, napi_create_string_utf8(env, errorMsg, NAPI_AUTO_LENGTH, &message));
-    NAPI_CALL(env, napi_set_named_property(env, businessError, BUSINESS_ERROR_PROPERTY_MESSAGE.c_str(), message));
+
+    napi_value businessError = nullptr;
+    NAPI_CALL(env, napi_create_error(env, nullptr, message, &businessError));
+    NAPI_CALL(env, napi_set_named_property(env, businessError, BUSINESS_ERROR_PROPERTY_CODE.c_str(), code));
     return businessError;
 }
 
diff --git a/interfaces/kits/napi/src/cm_napi_user_trusted_cert.cpp b/interfaces/kits/napi/src/cm_napi_user_trusted_cert.cpp
index 980c3b39ae54366a530033597bc4d223d8e1cac9..2407ead39c19efe04f6fb220b7736d418560439c 100644
--- a/interfaces/kits/napi/src/cm_napi_user_trusted_cert.cpp
+++ b/interfaces/kits/napi/src/cm_napi_user_trusted_cert.cpp
@@ -26,6 +26,7 @@
 namespace CMNapi {
 namespace {
 constexpr int CM_NAPI_USER_INSTALL_ARGS_CNT = 2;
+constexpr int CM_NAPI_USER_INSTALL_SYNC_ARGS_CNT = 2;
 constexpr int CM_NAPI_USER_UNINSTALL_ARGS_CNT = 2;
 constexpr int CM_NAPI_USER_UNINSTALL_ALL_ARGS_CNT = 1;
 constexpr int CM_NAPI_CALLBACK_ARG_CNT = 1;
@@ -67,21 +68,23 @@ static void FreeUserCertAsyncContext(napi_env env, UserCertAsyncContext &context
     CM_FREE_PTR(context);
 }
 
-static int32_t GetUserCertData(napi_env env, napi_value object, UserCertAsyncContext context)
+static int32_t GetUserCertData(napi_env env, napi_value object, CmBlob **outCert)
 {
-    context->userCert = static_cast<CmBlob *>(CmMalloc(sizeof(CmBlob)));
-    if (context->userCert == nullptr) {
+    CmBlob *userCert = static_cast<CmBlob *>(CmMalloc(sizeof(CmBlob)));
+    if (userCert == nullptr) {
         CM_LOG_E("could not alloc userCert blob memory");
         return CMR_ERROR_MALLOC_FAIL;
     }
-    (void)memset_s(context->userCert, sizeof(CmBlob), 0, sizeof(CmBlob));
+    (void)memset_s(userCert, sizeof(CmBlob), 0, sizeof(CmBlob));
 
-    napi_value result = GetUint8Array(env, object, *(context->userCert));
+    napi_value result = GetUint8Array(env, object, *(userCert));
     if (result == nullptr) {
         CM_LOG_E("could not get userCert data");
-        return CMR_ERROR_INVALID_OPERATION;
+        CM_FREE_PTR(userCert);
+        return CMR_ERROR_INVALID_ARGUMENT;
     }
 
+    *outCert = userCert;
     return CM_SUCCESS;
 }
 
@@ -119,7 +122,7 @@ static napi_value ParseCertInfo(napi_env env, napi_value object, UserCertAsyncCo
         return nullptr;
     }
 
-    int32_t ret = GetUserCertData(env, userCertValue, context);
+    int32_t ret = GetUserCertData(env, userCertValue, &context->userCert);
     if (ret != CM_SUCCESS) {
         return nullptr;
     }
@@ -200,6 +203,36 @@ static napi_value ParseUninstallUserCertParams(napi_env env, napi_callback_info
     return GetInt32(env, 0);
 }
 
+static int32_t ParseInstallUserCertSyncParams(napi_env env, napi_callback_info info, CmBlob **userCert,
+    CmCertScope &installScope)
+{
+    size_t argc = CM_NAPI_USER_INSTALL_SYNC_ARGS_CNT;
+    napi_value argv[CM_NAPI_USER_INSTALL_SYNC_ARGS_CNT] = { nullptr };
+    napi_get_cb_info(env, info, &argc, argv, nullptr, nullptr);
+
+    if (argc != CM_NAPI_USER_INSTALL_SYNC_ARGS_CNT) {
+        CM_LOG_E("arguments count is not expected when installing user cert sync");
+        return CMR_ERROR_INVALID_ARGUMENT;
+    }
+
+    size_t index = 0;
+    int32_t ret = GetUserCertData(env, argv[index], userCert);
+    if (ret != CM_SUCCESS) {
+        CM_LOG_E("could not get userCert");
+        return CMR_ERROR_INVALID_ARGUMENT;
+    }
+
+    index++;
+    uint32_t scope = CM_ALL_USER;
+    napi_value result = ParseUint32(env, argv[index], scope);
+    if (result == nullptr) {
+        CM_LOG_E("could not get install scope");
+        return CMR_ERROR_INVALID_ARGUMENT;
+    }
+    installScope = static_cast<CmCertScope>(scope);
+    return CM_SUCCESS;
+}
+
 static napi_value ParseUninstallAllUserCertParams(napi_env env, napi_callback_info info, UserCertAsyncContext context)
 {
     size_t argc = CM_NAPI_USER_UNINSTALL_ALL_ARGS_CNT;
@@ -386,6 +419,31 @@ static napi_value UninstallAllUserCertAsyncWork(napi_env env, UserCertAsyncConte
     return promise;
 }
 
+static int32_t InstallUserCertSyncExecute(CmBlob *userCert, const CmCertScope scope, CmBlob *certUri)
+{
+    int32_t ret;
+    // alias is empty string
+    uint8_t alias[1] = { 0 };
+    CmBlob certAlias = { .size = sizeof(alias), .data = alias };
+
+    uint32_t userId = 0;
+    if (scope == CM_CURRENT_USER) {
+        userId = INIT_INVALID_VALUE;
+    } else if (scope == CM_GLOBAL_USER) {
+        userId = 0;
+    } else {
+        CM_LOG_E("invalid certificate scope");
+        return CMR_ERROR_INVALID_ARGUMENT;
+    }
+
+    ret = CmInstallUserCACert(userCert, &certAlias, userId, true, certUri);
+    if (ret != CM_SUCCESS) {
+        CM_LOG_E("install user cert sync, init certUri failed");
+        return ret;
+    }
+    return ret;
+}
+
 napi_value CMNapiInstallUserTrustedCert(napi_env env, napi_callback_info info)
 {
     UserCertAsyncContext context = InitUserCertAsyncContext();
@@ -411,6 +469,38 @@ napi_value CMNapiInstallUserTrustedCert(napi_env env, napi_callback_info info)
     return result;
 }
 
+napi_value CMNapiInstallUserTrustedCertSync(napi_env env, napi_callback_info info)
+{
+    CmBlob *userCert = nullptr;
+    CmCertScope installScope;
+    uint8_t uri[OUT_AUTH_URI_SIZE] = { 0 };
+    CmBlob certUri = { sizeof(uri), uri };
+
+    int32_t ret = CM_SUCCESS;
+    do {
+        ret = ParseInstallUserCertSyncParams(env, info, &userCert, installScope);
+        if (ret != CM_SUCCESS) {
+            CM_LOG_E("parse install user cert sync params failed");
+            break;
+        }
+
+        ret = InstallUserCertSyncExecute(userCert, installScope, &certUri);
+        if (ret != CM_SUCCESS) {
+            CM_LOG_E("install user cert sync execute failed");
+            break;
+        }
+    } while (0);
+
+    if (ret != CM_SUCCESS) {
+        CM_LOG_E("install user cert sync failed, ret = %d", ret);
+        napi_throw(env, GenerateBusinessError(env, ret));
+        return nullptr;
+    }
+    napi_value result = ConvertResultCertUri(env, &certUri);
+    FreeCmBlob(userCert);
+    return result;
+}
+
 napi_value CMNapiUninstallUserTrustedCert(napi_env env, napi_callback_info info)
 {
     UserCertAsyncContext context = InitUserCertAsyncContext();
diff --git a/interfaces/kits/napi/src/dialog/cm_napi_dialog_common.cpp b/interfaces/kits/napi/src/dialog/cm_napi_dialog_common.cpp
index 149fa7eb55e8579ec3de3ebdc5166fa99df13e68..d72c8f443b1495f9708370c86e62b11095c793e7 100644
--- a/interfaces/kits/napi/src/dialog/cm_napi_dialog_common.cpp
+++ b/interfaces/kits/napi/src/dialog/cm_napi_dialog_common.cpp
@@ -133,7 +133,7 @@ static std::string EncodeBase64(const uint8_t *indata, const uint32_t length)
         encodeStr += g_base64Table[(triple >> BYTE_INDEX_ONE   * BYTE_SHIFT_6) & BASE64_URL_TABLE_SIZE];
         encodeStr += g_base64Table[(triple >> BYTE_INDEX_ZONE  * BYTE_SHIFT_6) & BASE64_URL_TABLE_SIZE];
     }
-    
+
     switch (BASE64_GROUP_NUM - (i % BASE64_GROUP_NUM)) {
         case BYTE_END_TWO:
             encodeStr.replace(encodeStr.length() - BYTE_END_TWO, 1, BASE64_PADDING);
diff --git a/interfaces/kits/napi/src/dialog/cm_napi_open_install_dialog.cpp b/interfaces/kits/napi/src/dialog/cm_napi_open_install_dialog.cpp
index 5f842ca2d5e687fba70365c77ed109da18ef6209..d28ad1bd0e5b1cd3caf33c7feea84dc4f5fe2922 100644
--- a/interfaces/kits/napi/src/dialog/cm_napi_open_install_dialog.cpp
+++ b/interfaces/kits/napi/src/dialog/cm_napi_open_install_dialog.cpp
@@ -169,7 +169,7 @@ static napi_value CMCheckArgvAndInitContext(std::shared_ptr<CmUIExtensionRequest
         CM_LOG_E("certificateScope invalid");
         return nullptr;
     }
-    
+
     // Parse fourth argument for cert.
     if (GetUint8ArrayToBase64Str(asyncContext->env, argv[PARAM3], asyncContext->certStr) == nullptr) {
         CM_LOG_E("cert is not a uint8Array or the length is 0 or too long.");
diff --git a/services/cert_manager_standard/cert_manager_engine/main/core/include/cert_manager_permission_check.h b/services/cert_manager_standard/cert_manager_engine/main/core/include/cert_manager_permission_check.h
index 429d151f45261bf8fae0ea0201c59f1aed0571fb..22ffdaa4465147e36a4645bcd7864e9238e328e5 100755
--- a/services/cert_manager_standard/cert_manager_engine/main/core/include/cert_manager_permission_check.h
+++ b/services/cert_manager_standard/cert_manager_engine/main/core/include/cert_manager_permission_check.h
@@ -26,6 +26,8 @@ bool CmHasPrivilegedPermission(void);
 
 bool CmHasCommonPermission(void);
 
+bool CmHasEnterpriseUserTrustedPermission(void);
+
 bool CmHasUserTrustedPermission(void);
 
 bool CmHasSystemAppPermission(void);
diff --git a/services/cert_manager_standard/cert_manager_engine/main/core/src/cert_manager_check.c b/services/cert_manager_standard/cert_manager_engine/main/core/src/cert_manager_check.c
index 8b41023a4241dfca9d9276a55ae0ecc978fac2db..c2b90f6e209f1e0bd86ef71fdb54d57a9dc9fc26 100644
--- a/services/cert_manager_standard/cert_manager_engine/main/core/src/cert_manager_check.c
+++ b/services/cert_manager_standard/cert_manager_engine/main/core/src/cert_manager_check.c
@@ -466,11 +466,15 @@ static bool CmCheckAndUpdateCallerUserId(const uint32_t inputUserId, uint32_t *c
         return true;
     }
 
-    /* caller is hap, callerUserId is not 0 */
-    if (inputUserId != INIT_INVALID_VALUE) {
+    /* caller is hap, callerUserId can be 0 or 0xFFFFFFFF */
+    if (inputUserId != 0 && inputUserId != INIT_INVALID_VALUE) {
         CM_LOG_E("caller is hap, input userId %u is not supported", inputUserId);
         return false;
     }
+    if (inputUserId == 0) {
+        CM_LOG_D("hap install in public location: update caller userId from %u to 0", *callerUserId);
+        *callerUserId = 0;
+    }
     return true;
 }
 
@@ -492,16 +496,11 @@ int32_t CmServiceInstallUserCertCheck(struct CmContext *cmContext, const struct
         return ret;
     }
 
-    if (!CmHasCommonPermission() || !CmHasUserTrustedPermission()) {
+    if (!CmHasEnterpriseUserTrustedPermission() && !CmHasUserTrustedPermission()) {
         CM_LOG_E("install user cert: caller no permission");
         return CMR_ERROR_PERMISSION_DENIED;
     }
 
-    if (!CmIsSystemApp()) {
-        CM_LOG_E("install user cert: caller is not system app");
-        return CMR_ERROR_NOT_SYSTEMP_APP;
-    }
-
     if (!CmCheckAndUpdateCallerUserId(userId, &(cmContext->userId))) {
         CM_LOG_E("input userId is invalid");
         return CMR_ERROR_INVALID_ARGUMENT;
diff --git a/services/cert_manager_standard/cert_manager_engine/main/core/src/cert_manager_permission_check.cpp b/services/cert_manager_standard/cert_manager_engine/main/core/src/cert_manager_permission_check.cpp
index 1f788a23c7317d14b06b8ef77fb8bb8f8aff60ce..fc66412fdc9cfbacf84d03314ca6774e7dbdf1b7 100755
--- a/services/cert_manager_standard/cert_manager_engine/main/core/src/cert_manager_permission_check.cpp
+++ b/services/cert_manager_standard/cert_manager_engine/main/core/src/cert_manager_permission_check.cpp
@@ -45,6 +45,11 @@ bool CmHasCommonPermission(void)
     return HasPermission("ohos.permission.ACCESS_CERT_MANAGER");
 }
 
+bool CmHasEnterpriseUserTrustedPermission(void)
+{
+    return HasPermission("ohos.permission.ACCESS_ENTERPRISE_USER_TRUSTED_CERT");
+}
+
 bool CmHasUserTrustedPermission(void)
 {
     return HasPermission("ohos.permission.ACCESS_USER_TRUSTED_CERT");